Exploitation of Mysql vulnerabilities (excessive permissions, how to get the root password from low permissions)

As we all know, Mysql users cannot read files through Load_file or write files through into dumpfile or into outfile without the File Permission, but occasionally find a small trick on a website, that is, you can use load data infile to read local files to the database. In this way, you can use this bug to read files on the server with low permissions. The Code is as follows:
LOAD DATA LOCAL INFILE 'C:/boot.ini' INTO TABLE test FIELDS TERMINATED BY '';Later, I kept thinking about how to use this problem. A feasible approach is as follows:

We read the mysql database file. The user table of the mysql database stores the hash of all users. As long as we read the file, we almost read the root password.

Therefore, the local test is performed. Note that the currently connected user test has no File Permission:

Authorization = "class =" aligncenter lh_lazyimg slideshow_imgs "data-bd-imgshare-binded =" 1 "file =" http://www.bkjia.com/uploads/allimg/140528/00053T1E-0.jpg "height =" 466 "lazyloadpass =" 1 "src =" http://www.bkjia.com/uploads/allimg/140528/00053T1E-0.jpg "style =" opacity: 1 "width =" 649 "/>

Run the following statement:

LOAD DATA LOCAL INFILE 'C:/wamp/bin/mysql/mysql5.6.12/data/mysql/user.MYD' INTO TABLE test2 fields terminated by '';

Thenselect * from test2;

We can find that everything has only one bad character. We use winhex to open the user. myd file.

OK. The problem is found. It is truncated by the 00 character. As a result, all the other things are not in the database. Next we will try to bypass this restriction.

After several attempts, you can add lines terminated by '\ 0' to the end. In this way, the truncation symbol is processed as a separator. The complete statement:

LOAD DATA LOCAL INFILE 'C:/wamp/bin/mysql/mysql5.6.12/data/mysql/user2.MYD' INTO TABLE test2 fields terminated by '' LINES TERMINATED BY '\0';

Effect:
OK, complete!